
I use currently the following code to get a public key from a certificate from keystore in WebSphere Application Server Full Profile:

    private static PublicKey getSignerPublicKey() {
        // Walk the key set configured in WAS ND and look for the signer certificate alias
        KeySetManager keySetMgr = KeySetManager.getInstance();
        WSKeySet keySet = keySetMgr.getKeySet(KEY_SET_NAME);
        KeyReference[] allKeyReferences = keySet.getAllKeyReferences();
        for (int i = 0; i < allKeyReferences.length; ++i) {
            try {
                KeyReference kref = allKeyReferences[i];
                String keyAlias = kref.getKeyAlias();
                if (!SIGNER_CERT_ALIAS.equals(keyAlias)) { continue; }
                WSKeyStore wsKeyStore = kref.getWSKeyStore();

                // Keystore coordinates come from the WAS SSL configuration, not from the application
                String location = wsKeyStore.getLocation();
                String type = wsKeyStore.getProperty("com.ibm.ssl.keyStoreType");
                String name = wsKeyStore.getProperty("com.ibm.ssl.keyStoreName");
                String provider = wsKeyStore.getProperty("com.ibm.ssl.keyStoreProvider");
                String password = wsKeyStore.getProperty("com.ibm.ssl.keyStorePassword");
                String scope = wsKeyStore.getProperty("com.ibm.ssl.keyStoreScope");

                // Open the java.security.KeyStore through the WAS keystore manager
                KeyStore keyStore = KeyStoreManager.getInstance().getKeyStore(name, type, provider, location, password, scope, true, null);

                Certificate certificate = keyStore.getCertificate(keyAlias);
                PublicKey publicKey = certificate.getPublicKey();
                return publicKey;
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return null;
    }

The code above uses proprietary IBM WAS ND classes:

import com.ibm.ws.crypto.config.KeyReference;
import com.ibm.ws.crypto.config.KeySetManager;
import com.ibm.ws.crypto.config.WSKeySet;
import com.ibm.ws.ssl.config.KeyStoreManager;
import com.ibm.ws.ssl.config.WSKeyStore;

Now I need to migrate the application to WebSphere Liberty Profile (WLP), and these classes com.ibm.ws.crypto.config.* do not exist in WLP, so the code is not portable, unfortunately.

From what I learned I cannot programmatically access keystores on WLP; is that statement accurate?

I did not find any example of how to implement a similar approach in WLP.

My understanding at the moment is that I must simply use KeyStore.load(inputStream, password) and store somewhere (or hard code) key store file name and password. Is that the commonly used approach for WLP?

The ultimate goal of the migration is Dockerizing the application and migrating to the cloud (OpenShift), so the question is: where to store the keystore? Inside the application, or inside the WLP install? I guess the difference is not a big deal, since if the certificate expires, I would need to rebuild the whole Docker image, which includes WLP and the application.

Or maybe it's possible to store it in the cloud and somehow access it from inside the Docker container. That would probably be the best approach, as the expiry of a certificate won't require an image rebuild, simply an update of the cloud environment.

Any suggestions or experiences or hints are highly appreciated.

Barat Sahdzijeu
  • I'm not quite sure I'm following what you are trying to accomplish. Your application would get the ND certificate and then do what with it? Did you add it to another keystore? Another keystore in WAS's configuration, or does the application use its own? Liberty's default keystore is in /resource/security/key.p12 and if the password was auto generated by Liberty it would be in the server.env file. If I knew what your ultimate goal was, there may be other things that could be done to help. – Alaine Feb 16 '21 at 22:59
  • Hi @Alaine, thanks for being willing to help. I am doing some programmatic verification of the public key from a signer certificate sent by the client (as bytes) against the public key of the signer certificate stored in the WAS ND truststore. The advantage of storing the etalon certificate in the WAS truststore was that I can handle it via ISC (in case it expires) and there is no need to manually provide the password for the truststore, etc. – Barat Sahdzijeu Feb 17 '21 at 09:04
  • Hi @Alaine: What I need for my business logic is some approach to retrieve the PublicKey on the server side, preconfigured preferably via the admin console (not hard coded) so I can update it independently from the application. I think it should be done via KeyStore.load(), and I am free to choose where to load it from; it can be for example a stream from a String from an environment variable. – Barat Sahdzijeu Feb 17 '21 at 09:04
  • You can get the locations and info on the keystores and trust stores using the JSSEHelper getProperties() method. If you pass null in for the alias name you should get the properties associated with the default SSL configuration. – Alaine Feb 17 '21 at 16:28
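The portable variant the question sketches, loading the truststore with KeyStore.load() from a path and password supplied by the container environment rather than hard-coded, and then comparing the client-sent key bytes with the trusted signer's key, as an added example that is not part of the original post or of any IBM API. The environment variable names SIGNER_TRUSTSTORE_PATH, SIGNER_TRUSTSTORE_PASSWORD and SIGNER_CERT_ALIAS are assumptions, chosen so the store can be mounted as a secret and rotated without rebuilding the image.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

public class SignerKeyCheck {

    // Reads a required setting from the container environment (variable names are assumptions, not Liberty defaults)
    private static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }

    // Loads the trusted signer certificate's public key from a PKCS12 store mounted into the container
    public static PublicKey loadSignerPublicKey() throws Exception {
        Path storePath = Paths.get(env("SIGNER_TRUSTSTORE_PATH"));
        char[] storePassword = env("SIGNER_TRUSTSTORE_PASSWORD").toCharArray();
        String alias = env("SIGNER_CERT_ALIAS");

        KeyStore store = KeyStore.getInstance("PKCS12");   // same format as Liberty's .p12 stores
        try (InputStream in = Files.newInputStream(storePath)) {
            store.load(in, storePassword);
        } finally {
            Arrays.fill(storePassword, '\0');               // do not keep the password in memory longer than needed
        }

        Certificate cert = store.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        if (cert instanceof X509Certificate) {
            ((X509Certificate) cert).checkValidity();      // fail closed on an expired or not-yet-valid signer cert
        }
        return cert.getPublicKey();
    }

    // Compares the client-supplied key (X.509 SubjectPublicKeyInfo DER bytes) with the trusted key in constant time
    public static boolean matchesTrustedSigner(byte[] clientKeyBytes, PublicKey trusted) throws Exception {
        PublicKey client;
        try {
            client = KeyFactory.getInstance(trusted.getAlgorithm()).generatePublic(new X509EncodedKeySpec(clientKeyBytes));
        } catch (InvalidKeySpecException e) {
            return false;                                   // malformed bytes or a different key algorithm: not a match
        }
        // re-encode both sides so the result does not depend on how the client serialised its key
        return MessageDigest.isEqual(client.getEncoded(), trusted.getEncoded());
    }
}
```

Mounting the .p12 and its password as an OpenShift secret and pointing the variables at them keeps the key material out of the image, so a renewed signer certificate only needs the secret updated and the pod restarted.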

1 Answer

You may want to check out this: https://www.ibm.com/support/knowledgecenter/en/SSCSJL_4.3.x/sec-tls4apps.html. Although the document is for a cloud pak, it can be used in other container environments.

Chunlong
  • Thanks for your answer, it might help. I guess my blocker at the moment is: if I can access programmatically the key.p12 and trust.p12 files from my servlet, without hard coding paths to them, or perhaps if I can get the location of those files from WLP's environment variables maybe? – Barat Sahdzijeu Feb 17 '21 at 09:10